OAuth 2.0 Authorization
Hub implementation of OAuth 2.0 supports several authentication/authorization flow. To access resources of Hub itself and services connected to Hub, a client should obtain an access token. The flow that the client may use depends on:
- What information the client has (service credentials / user credentials).
- Where from the client access resources (from a browser / from the server side / from a standalone application).
What Flow to Use?
| You develop... | Flow to use | Required parameters | Additional requirement |
|---|---|---|---|
| A rich client web application with all authorization logic in browser | Implicit flow | service id | Handle in browser request with a grant from Hub |
| A web application with the authorization login on the server side | Authorization Code flow | service id, service secret | Handle request with a grant from Hub server on server side |
| A desktop or a mobile application able to request authorization token non-interactively | Refresh Token flow | service id, service secret | Handle request with a grant from Hub server on server side |
| A script that needs to access resources on behalf of itself | Client Credentials flow | service id, service secret | None |
| A script that needs to access resources on behalf of some user | Resource Owner Password Credentials flow | service id, service secret, username and password | None |
What Information You Should Have
OAuth 2.0 Endpoints for Hub
For the Hub service, the OAuth 2.0 endpoints for authentication and token are:
- Authentication endpoint URL:
<Hub Service URL>/api/rest/oauth2/auth - Token endpoint URL:
<Hub Service URL>/api/rest/oauth2/token
<Hub Service URL> is the URL that is configured for the Hub service in your network environment. For example, you have your company's server www.mycompany.com and a Hub service. You can configure Hub to be accessible by www.mycompany.com/hub or, let's say hub.mycompany.com. Subsequently, the OAuth 2.0 endpoints are as follows, respectively:
- For
www.mycompany.com/hub:https://www.mycompany.com/hub/api/rest/oauth2/authandhttps://www.mycompany.com/hub/api/rest/oauth2/token - For
hub.mycompany.com:https://hub.mycompany.com/api/rest/oauth2/authandhttps://hub.mycompany.com/api/rest/oauth2/token.
Register Client as a Service
To enable authorization you should register your client as a Hub service. You can do it either in administrative UI or programmatically. Basically, you just send POST request on /services URL and get credentials of the newly created service in response.
Sample script for registering client as a service
The following sample script considers Hub service to be installed to https://hub.company.com and a client OAuth 2.0 service - to https://myservice.company.com.
Request
POST /api/rest/services?fields=id,secret HTTP/1.1
Host: hub.company.com
Accept: application/json
Content-Type: application/json
{
"name": "My Service",
"homeUrl": "https://myservice.company.com",
"redirectUris": ["https://myservice.company.com/authorized"],
"applicationName": "My Service",
"vendor": "Company Inc.",
"version": "1.0"
}Response
{
"id": "98071167-004c-4ddf-ba37-5d4599fdf319",
"secret": "eAUyKgVfhSbV"
}You can later use service's id and secret for authorization.
Service in Hub can be either trusted or not. If a service is trusted, then it can access Hub resource servers on behalf of itself. Also, when a user is sent from the trusted service to authorize himself, the user sees no additional warning.